Security and the protection of digital assets is a key enabler of our information-driven economy. The information security industry has evolved from a niche corner of information technology to something that pervades the industry itself. Despite this increased attention to security, the complexity of information systems and the reliance upon them creates a fragility that adds up to risk to organizations of all sizes. Vulnerabilities are inherent in nearly everything, and computer systems are no exception. Software vulnerabilities have many different origins. For instance, in some cases, a coding standard can be poorly written, causing all software written to these specifications to be faulty.
Bugs are an inevitable reality of the software development process, and some of these bugs can create serious vulnerabilities. Additional vulnerabilities may be introduced when a system is installed, configured, and customized for individual use. In general, any stage during the software development and usage lifecycles creates risk for the introduction of vulnerabilities. Some vulnerabilities are innocuous and some can be critical in nature. Identifying the key risks and their solutions is one of the most critical aspects of information security.
Research has historically shown that successful malicious penetrations upon computer systems and well known worms and viruses have been based upon known vulnerabilities. Vulnerabilities may exist at any aspect of computing systems. For instance, vulnerabilities may exist in typical desktop applications and/or operating systems, network layer components, etc. Furthermore, vulnerabilities may exist at the application layer, which may include weaknesses created by the integration of one or more application components, including in-house custom programming, operating systems, databases, web pages, and middleware. These vulnerabilities are potentially unique to each integrated system and can be added and removed dynamically with each change to any system component.
Currently, there are various vulnerability assessment solutions that enable IT professionals to proactively address vulnerabilities at various aspects of computing systems, including network layer, application layer, etc. By way of example, various tools exist for identifying security vulnerabilities in computing systems. Anti-virus tools exist for determining desktop vulnerabilities in applications, operating systems, etc. Within the web application space, various assessment tools also exist, which may employ various heuristics to identify vulnerabilities in web applications. Typically, web application assessment tools have the ability to identify dynamic “unique” vulnerabilities using adaptive and behavioral techniques, as well as standard “static” vulnerabilities. Web application assessment tools may map an entire web system, including all links, proprietary code, connections to data sources, etc.
Despite the existence of various types of proactive tools for assessing vulnerabilities in computing systems, there is a need for improved systems, methods, software, etc. for performing application assessment.